Inside Endgame: A Second Act For The Blackwater Of Hacking

In the classic hacker career narrative, a juvenile genius breaks into the Internet's most sensitive networks, gets caught and then settles into a lucrative corporate gig selling his skills for defense. Nate Fick is trying to pull off the same story with an entire company.

Fourteen months ago Fick took over as chief executive of Endgame, perhaps the most controversial name in Washington, D.C. cybersecurity contracting. For years Endgame's elite hackers worked in the shadows of the Beltway to build and sell "zero-day exploits," an industry term for malicious code that abuses a previously unidentified vulnerability. As a contractor to military and intelligence agencies including the NSA, it enabled some of those customers' most intrusive spying practices by offering ways to break into software from the likes of
Microsoft,
IBM and Cisco for millions of dollars.

Fick's daunting task now: To shift his firm's focus to the far wider market in commercial defense products--and in the process, to shed its reputation as the Blackwater of hacking. The 36-year-old CEO, a former elite Marine reconnaissance captain who served in Iraq and Afghanistan before developing what he describes as a personal distaste for violence, hints at a motivation for the change beyond profit. An ethical cloud still hangs over Endgame for its track record in undermining the Internet's security.

Fick's first move: taking Endgame out of the zero-day exploit game. "The exploit business is a crummy business to be in," says Fick, sitting at a coffee shop near Endgame's unmarked office in Arlington, Va., which has never before allowed a reporter inside. "If we're going to build a top-tier security firm, we have to do things differently.... This is one of those happy circumstances where business realities, reputational concerns and my personal feelings aligned."

The company now touts itself as a Big Data analysis firm, selling "vulnerability intelligence" software that alerts clients to digital risks. Its tools pull together information from sources ranging from a customer's antivirus programs and intrusion detection system to its human resources and physical security data, and pairs the information with Endgame's own research on malware and blacklisted IP addresses. Integrating those feeds into a slick user interface, its software shows any anomaly that might represent a security threat, whether a hijacked computer sending source code to Pakistan or a rogue IT employee badging in at midnight to print the finance department's sensitive documents.

Endgame's new business direction helped the company raise a second round of financing last year, led by homeland-security-focused Paladin Capital, bringing its total investment to $60 million after earlier investments by Bessemer Venture Partners, Kleiner Perkins Caufield & Byers and others. By FORBES' estimate the company earned $20 million in revenue in 2013; Fick aims to more than double that number in 2014 and flip the balance of sales so that the majority within two years comes from the private sector.

But Fick's friendlier face for Endgame isn't the full story. Its board still includes former NSA chief Kenneth Minihan, and it's chaired by Christopher Darby, director of the CIA-backed venture firm In-Q-Tel. Though Fick says Endgame no longer sells exploits, the company doesn't deny that it still sells tools to the federal government that can be used for offensive hacking--the digital equivalent of stocks, sights and barrels, if not the bullets. After all, the same "vulnerability intelligence" that finds chinks in a customer's armor can also be used to discover them in a surveillance target.

Case in point: Inside Endgame's startup-style office, complete with a ping-pong table and entertainment console covered in hacker-themed DVDs, an engineer shows me an older product code-named Bonesaw. ("We're trying to come up with less 'interesting' names," quips Chief Strategy Officer Niloofar Howe.) Bonesaw pulls Internet data to show what software runs on which machines around the globe, like a
Google Maps for hackers. With a few clicks a user can zero in on a computer and see its vulnerabilities along with a list of publicly available techniques to hack it.

Fick won't say what Endgame's government customers might do with that tool. In fact, he won't comment at all on the specifics of Endgame's government business, citing secrecy agreements. In a year in which the NSA has been accused of out-of-control spying, that lack of transparency leaves critics to assume the worst.

"It sounds to me like they're trying to put a rose on a pig," says James Bamford, author of three books on the NSA and a vocal critic of Endgame's practices. "If you're saying you're on the right path but won't say what you're doing, the burden's on you."

Critics can't deny, however, that Fick's Endgame is different from the one he inherited from his predecessor Chris Rouland. In the late 1980s Rouland tried out rogue intrusion as a young hacker under the handle Mr. Fusion before putting his skills to use for the feds. He eventually became the CTO of Internet Security Systems and spun Endgame out of the company in 2008 after ISS was acquired by IBM for $1.3 billion. Under Rouland, the company offered an extensive package of zero-day exploits for $2.5 million a year, boasting of potential targets including Russian oil refineries and the Venezuelan Ministry of Defense, and promising "zero disclosure of discovered vulnerabilities" to software makers who could patch their weaknesses. "We don't ever want to see our name in a press release," Rouland wrote to a colleague in early 2010.

That clandestine business came to light only when the hacker group Anonymous penetrated Endgame partner HBGary Federal and published thousands of the company's e-mails, including HBGary Federal's proposal to attack donors and supporters of WikiLeaks on behalf of Bank of America. While other companies associated with the hacked firm apologized, Endgame became even more secretive, taking its website offline and scuttling its early commercial offerings. "Going dark was emphatically the wrong approach," says Fick. "If you're not telling your own story, people tell it for you."

Fick, who worked at Bessemer Venture Partners and a Washington think tank after the military, was brought in by Endgame's board to change that story. Kleiner Perkins' Ted Schlein says he was impressed with Fick's military-honed decisiveness. "I see things in him as a first-time CEO that I usually see in a second- or third-time CEO," says Schlein.

Fick says he quickly nixed the zero-day development business and began hiring executives with commercial-software backgrounds. He considered changing the company's name but decided it held too much branding value. "The name's cool," Fick says.

Endgame has never apologized for its history, and Fick refuses to start. "Apologize for what?" he asks. And he acknowledges that Endgame's reputation provides a recruiting edge he's reluctant to give up. "The guys who are really good at vulnerability research don't want to go play in the sandbox and do penetration testing. They want to do it for real."

Exactly what "doing it for real" entails, Fick won't say. He's visibly uncomfortable stonewalling questions, and cites his preference for transparency. In his days as a marine lieutenant leading one of the first platoons to invade Iraq, he even allowed a Rolling Stone reporter to leave recording devices in his troops' humvees. Those recordings became the source material for the book and HBO TV series Generation Kill, in which Fick's character plays a central role. "People have the right to know what's going on," Fick says of his decision to shed light on the military's work. "A society that's connected to its wars will go to war less often and will be committed to winning when it does."

The same could be said of cyberwar--and the companies that enable it. Until Fick brings the darker part of Endgame's business out of the shadows, his hacker-gone-straight story will have a major plot hole.

I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.